SunScreen 3.2 Administration Guide

Setting Up High Availability (HA)

See Chapter 5, Using High Availability and "Encryption, Tunneling, and Virtual Private Networks" in SunScreen 3.2 Administrator's Overview before using the command line to set up HA.

  1. To install HA on the Screen designated to be the primary HA Screen, type the following:


    # ssadm ha init_primary interface
    

    This step creates a new HA cluster containing one Screen.

  2. To install HA on the Screen designated to be the secondary HA Screen, type the following:


    # ssadm ha init_secondary interface primaryIP
    

    Where:

    • interface is the interface to be used for the HA heartbeat and synchronization

    • primaryIP is the IP address (on the HA network) of the primary Screen in the cluster


    Note -

    You can receive the following error message after you issue the ssadm ha init_secondary command because the primary screen has not sent the policy to the secondary screen. This is normal and the error message can be ignored.


    Error: No filtering interfaces defined.


  3. To add the HA secondary Screen to the existing HA cluster, execute the following command on the primary machine in the cluster:


    # ssadm ha add_secondary secondaryIP
    

    Where secondaryIP is the IP address (on the dedicated HA network) of the secondary Screen to be added.


    Note -

    After adding an HA secondary Screen and activating your policy, the new secondary Screen may become active. If you need to perform additional administration on the primary Screen, first direct the secondary Screen to become passive so that you can communicate with the primary Screen.


To Allow Non-Administrative Traffic on an HA Network

By default, only administrative traffic is allowed on the HA interface (ping and SunScreen Administration services). This design keeps the network as secure as possible. However, administrators sometimes need to open other services on this private network.

This can be accomplished by adding filtering rules that include the HA network as the destination address. For example, suppose that the dedicated HA network is 172.16.0.0/24. The following policy would allow telnet traffic to and from any address on the HA network.

  1. Add the filtering rule as follows:


    edit> list interface qfe0 
    "qfe0" HA "hanetwork"  INCOMPLETE
    edit> list address
    hanetwork "hanetwork" RANGE 172.16.0.0/24
    edit> list rule 1
    1 "telnet" "hanetwork" "hanetwork" ALLOW
    

    The destination address must be the same network object that is used in the interface definition. An equivalent object with a different name will not work.

    For example, the following change would work, since only the source is a newly defined object.


    edit> add address hanetwork2 RANGE 172.16.0.0/24 
    edit> replace rule 1 telnet hanetwork2 hanetwork ALLOW
    

    However, the following change would not work, since the destination address object is not the same exact object that is defined in the HA interface definition:


    edit> add address hanetwork2 RANGE 172.16.0.0/24 
    edit> replace rule 1 telnet hanetwork hanetwork2 ALLOW
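The same-object requirement above is easy to violate silently, because two RANGE objects with identical networks look interchangeable. The following checker is an added example, not part of the SunScreen product or this guide: it parses editor "list" output in the format shown above (a constructed sample, not captured from a real Screen) and flags any rule whose destination covers the HA network under a name other than the object bound to the HA interface.

```python
import ipaddress
import re

# Constructed sample of configuration-editor "list" output, modelled on the
# guide's hanetwork example (not captured from a real Screen).
SAMPLE_LISTING = """\
"qfe0" HA "hanetwork"  INCOMPLETE
hanetwork "hanetwork" RANGE 172.16.0.0/24
hanetwork2 "hanetwork2" RANGE 172.16.0.0/24
1 "telnet" "hanetwork2" "hanetwork" ALLOW
2 "telnet" "hanetwork" "hanetwork2" ALLOW
3 "ssh" "hanetwork" "hanetwork" ALLOW
"""

IFACE_RE = re.compile(r'^"(\S+)"\s+HA\s+"(\S+)"')
ADDR_RE = re.compile(r'^(\S+)\s+"(\S+)"\s+RANGE\s+(\S+)$')
RULE_RE = re.compile(r'^(\d+)\s+"(\S+)"\s+"(\S+)"\s+"(\S+)"\s+(\S+)$')

def parse_listing(text):
    """Split editor output into HA interfaces, RANGE address objects and rules."""
    ha_ifaces, addrs, rules = {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := IFACE_RE.match(line):
            ha_ifaces[m.group(1)] = m.group(2)          # interface -> HA address object
        elif m := ADDR_RE.match(line):
            addrs[m.group(1)] = ipaddress.ip_network(m.group(3), strict=False)
        elif m := RULE_RE.match(line):
            num, svc, src, dst, action = m.groups()
            rules.append((int(num), svc, src, dst, action))
    return ha_ifaces, addrs, rules

def check_ha_rules(text):
    """Return one finding per rule whose destination has the same network as an
    HA interface's object but a different name: such a rule will not take effect
    even though the ranges are identical. Source objects are not checked, since
    the guide states only the destination must be the interface's own object."""
    ha_ifaces, addrs, rules = parse_listing(text)
    findings = []
    for iface, ha_obj in ha_ifaces.items():
        ha_net = addrs.get(ha_obj)
        if ha_net is None:
            findings.append(f"{iface}: HA address object {ha_obj!r} is not defined")
            continue
        for num, svc, src, dst, action in rules:
            if dst != ha_obj and addrs.get(dst) == ha_net:
                findings.append(f"rule {num} ({svc} {src} -> {dst} {action}): destination "
                                f"must be {ha_obj!r}, the object bound to HA interface {iface}")
    return findings

if __name__ == "__main__":
    for finding in check_ha_rules(SAMPLE_LISTING):
        print(finding)
```

Run it against the saved output of `list interface`, `list address` and `list rule` concatenated into one file; rule 1 in the sample passes and rule 2 is reported, matching the two cases the guide describes.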

To Remove an HA Screen

HA setup requires commands that are outside the configuration editor. Removing the HA setup consists of removing the HA_* options from the Screen objects on the appropriate machines. The three steps below assume the following:


edit> list screen
"vorticity" MASTER "barotropic" CDP
RIP NIS HA_SECONDARY HA_IP 129.192.1.2
"barotropic" ADMIN_CERTIFICATE "barotropic.admin" CDP
DNS NIS HA_PRIMARY HA_IP 129.192.1.5 HA_ETHER 8:0:20:9e:e0:66

  1. Remove the HA Screen:


    edit> del screen vorticity
    

  2. Redefine the primary Screen so that it is no longer an HA_PRIMARY:


    edit> add screen barotropic ADMIN_CERTIFICATE barotropic.admin CDP DNS NIS
    

  3. Save and activate your configuration.

To View HA Information

The following commands display information such as the current active or passive status of the HA machine in question and the current state of the HA daemon.

    Using local administration, type the following:


    # ssadm ha status
    

    Using remote administration, run ssadm with the -r option to display the same information:


    # ssadm -r Screen_name ha status
    

    To view the status of all HA machines in a cluster, type the following from the primary HA machine:


    # ssadm ha status -Z